{
  "threat_severity" : "Low",
  "public_date" : "2026-05-27T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: KVM: SVM: Add missing save/restore handling of LBR MSRs",
    "id" : "2482128",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2482128"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-372",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nKVM: SVM: Add missing save/restore handling of LBR MSRs\nMSR_IA32_DEBUGCTLMSR and LBR MSRs are currently not enumerated by\nKVM_GET_MSR_INDEX_LIST, and LBR MSRs cannot be set with KVM_SET_MSRS. So\nsave/restore is completely broken.\nFix it by adding the MSRs to msrs_to_save_base, and allowing writes to\nLBR MSRs from userspace only (as they are read-only MSRs) if LBR\nvirtualization is enabled.  Additionally, to correctly restore L1's LBRs\nwhile L2 is running, make sure the LBRs are copied from the captured\nVMCB01 save area in svm_copy_vmrun_state().\nNote, for VMX, this also fixes a flaw where MSR_IA32_DEBUGCTLMSR isn't\nreported as an MSR to save/restore.\nNote #2, over-reporting MSR_IA32_LASTxxx on Intel is ok, as KVM already\nhandles unsupported reads and writes thanks to commit b5e2fec0ebc3 (\"KVM:\nIgnore DEBUGCTL MSRs with no effect\") (kvm_do_msr_access() will morph the\nunsupported userspace write into a nop).\n[sean: guard with lbrv checks, massage changelog]", "A flaw was found in the Linux kernel's Kernel-based Virtual Machine (KVM) and Secure Virtual Machine (SVM) components. This vulnerability is due to missing save and restore handling for Last Branch Record (LBR) Model Specific Registers (MSRs) and MSR_IA32_DEBUGCTLMSR. A local attacker with access to a virtual machine could potentially exploit this to cause incorrect state restoration of LBRs in nested virtualization environments. This could lead to unexpected behavior or information inconsistencies across virtual machines." ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-46014\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-46014\nhttps://lore.kernel.org/linux-cve-announce/2026052745-CVE-2026-46014-5f5a@gregkh/T" ],
  "name" : "CVE-2026-46014",
  "csaw" : false
}